From 8d5434ef2dd8f9f5e5538a171d73434632fa012d Mon Sep 17 00:00:00 2001
From: Jon Siwek
Date: Mon, 11 Mar 2013 10:54:51 -0500
Subject: [PATCH 1/2] Fix large memory allocation in IP fragment reassembly.

Addresses #961. Patch by jbaines modified slightly to return earlier so that the problem packet can't cause any state change in the FragReassembler.
---
 src/Frag.cc | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/src/Frag.cc b/src/Frag.cc
index d873f5bc0c..4b9047d072 100644
--- a/src/Frag.cc
+++ b/src/Frag.cc
@@ -100,6 +100,13 @@ void FragReassembler::AddFragment(double t, const IP_Hdr* ip, const u_char* pkt)
 	int offset = ip->FragOffset();
 	int len = ip->TotalLen();
 	int hdr_len = ip->HdrLen();
+
+	if ( len < hdr_len )
+		{
+		s->Weird("fragment_protocol_inconsistency", ip);
+		return;
+		}
+
 	int upper_seq = offset + len - hdr_len;
 
 	if ( ! offset )

From 90ca2b87c4b21611a0c7ef37c0e1c465c36f270f Mon Sep 17 00:00:00 2001
From: Jon Siwek
Date: Mon, 11 Mar 2013 11:58:54 -0500
Subject: [PATCH 2/2] Add check for truncated link frames.

Addresses #962. Patch provided by jbaines, modified with a more descriptive Weird name.
---
 src/Sessions.cc | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/src/Sessions.cc b/src/Sessions.cc
index 6f42e5726b..2e5a6ded30 100644
--- a/src/Sessions.cc
+++ b/src/Sessions.cc
@@ -223,6 +223,12 @@ void NetSessions::NextPacket(double t, const struct pcap_pkthdr* hdr,
 	// we look to see if what we have is consistent with an
 	// IPv4 packet. If not, it's either ARP or IPv6 or weird.
 
+	if ( hdr_size > static_cast(hdr->caplen) )
+		{
+		Weird("truncated_link_frame", hdr, pkt);
+		return;
+		}
+
 	uint32 caplen = hdr->caplen - hdr_size;
 	if ( caplen < sizeof(struct ip) )
 		{
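Review bot: The new guard in AddFragment rejects `len < hdr_len` but still admits `len == hdr_len`, which makes `upper_seq` equal to `offset` on the line that follows, i.e. a fragment that carries no payload at all; whether the reassembler's range bookkeeping further down copes with an empty range is not visible in this hunk, so that case deserves a confirming test or a `<=` if it does not. Both `len` and `hdr_len` are read straight from the packet's IP header, so a short why-comment above the check would help the next reader: `// TotalLen() and HdrLen() come from the wire; a total length smaller than the header length is malformed and must not touch reassembler state (#961).` AddFragment continues past the end of the hunk.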
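Review bot: The cast in the new NextPacket check reaches this page as `static_cast(hdr->caplen)` with no template argument, so the target type cannot be verified here; if it is a signed `int`, the comparison converts the unsigned capture length to signed, which is the opposite direction from the arithmetic on the following line, where `hdr->caplen - hdr_size` is computed into a `uint32`. Assuming `hdr_size` is a non-negative link-header length (its declaration is outside the hunk), comparing in the unsigned domain keeps the check and the subtraction consistent: `if ( hdr->caplen < static_cast<uint32>(hdr_size) )`. A why-comment above the check would also help: `// A link-layer header longer than the captured bytes means the frame was truncated by the capture; bail before the unsigned subtraction below can wrap.` NextPacket starts before and continues after this hunk.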